TikTok has lost the legal argument on whether it broke EU privacy law by sending European users' data to China, and kept the practical question of what to do about it. Ireland's High Court has upheld a finding from Ireland's Data Protection Commission (DPC), the EU's lead privacy supervisor for the company, that TikTok breached EU rules on international data transfers, and has left in place the €530 million fine that came with that finding. The order that would actually have stopped the transfers, by contrast, has been sent back to the regulator to reconsider.
The split sits at the structural core of how the EU's General Data Protection Regulation (GDPR) plays out when a case reaches a court. National regulators such as Ireland's DPC issue the original findings and any associated fines. A high court hearing a judicial review then decides whether the regulator's reasoning survives. If it does, the court can either enforce or send back the operational measure, the practical order that would change a company's conduct. In the TikTok ruling, the court did both at once. It confirmed liability, let the fine stand, and ordered the DPC to reconsider the suspension order.
In plain terms, a practice the regulator found unlawful can continue while the regulator decides what to do about it. That gap is the mechanism the EU uses to keep regulated companies within reach of an enforceable remedy without freezing business while courts move slowly. In this case it means the conduct at issue is undisturbed while the law has spoken.
For TikTok, the outcome is a partial reprieve with a real cost. The €530 million fine is the penalty in the case, and the court also rejected TikTok's contention that the DPC misapplied EU rules on international data transfers, which closed off the cleanest legal exit. At the same time, the operational consequence the company most feared, the order forcing it to stop sending European user data to China, is being reconsidered rather than enforced.
The underlying concern behind the case has been a familiar one in Western capitals: that data on European users held in China could be reached by the Chinese state. TikTok has consistently denied any improper access, and the Irish ruling has not adjudicated a specific access claim. The court ruled on the transfers that happened regardless of access, and on what EU law required be done about them. In response, TikTok has pointed to Project Clover, a European data-localisation programme that stores EEA user data on servers in Ireland and other European locations, as evidence that European user data now sits on European soil. That programme was already in place when the DPC made its original finding. The corrective measure being reconsidered covers the historical and ongoing transfers, not the future plan.
The procedural backdrop helps explain why the remedy is moving slowly. In November 2025, the High Court granted TikTok a stay on the DPC's original order ([2025] IEHC 619), pausing the regulator's decision pending judicial review. The June 2026 ruling now resolves liability while sending the operational order back to the regulator for reconsideration. The fine-size appeal, by contrast, remains live and was not resolved in this ruling.
The wider enforcement landscape matters here. The DPC, Ireland's national data-protection authority, leads TikTok's GDPR supervision under the regulation's one-stop-shop mechanism because the company's European base sits in Dublin. The European Economic Area (EEA), the EU plus Iceland, Liechtenstein, and Norway, defines the user population the transfers concerned. The DPC's reconsideration of the suspension order will set the practical floor on how non-EU jurisdictions can receive European user data under GDPR.
What to watch next is narrow and concrete: the DPC's reconsideration of the suspension order, the outcome of the fine-size appeal, and any move by TikTok to put Project Clover-style localisation arguments in front of the regulator when it does. Until those resolve, the legal finding holds: TikTok broke EU privacy law by sending European users' data to China. The question of whether the company will be ordered to stop has been returned to the desk of the regulator whose finding survived the court's review.